Belfast Health and Social Care Trust was fined £225,000 by the UK’s ICO (Information Commissioner’s Office) for leaving files in an abandoned hospital. The data breach affected patients and staff alike. The fine is the second largest the ICO has handed down to date, and it shows how much weight the ICO places on data security, whether that means using laptop encryption software like AlertBoot or simply making sure your paperwork goes with you when you leave.
According to many sources, including theregister.co.uk,
The Belfast Trust became the latest NHS body to feel the wrath of the ICO after it left 100,000 patient records and 15,000 staff records in boxes, cabinets, on the shelves or on the floor of the Belvoir Park Hospital, closed since 2006.
The article reads like a horror story:
The Trust was landed with responsibility for the site, which had around 40 separate buildings that treated fever and then cancer patients…by the end of 2007, faults in the CCTV and fire and intruder alarms meant they were no longer working so the [two permanent] guards were on their own. Vandals and trespassers got into the buildings and photographed records, which they then posted online, but the Trust didn’t find out about it until someone else told it in March 2010.
The Trust arranged for an inspection of some of the buildings, but parts of the site were cordoned off due to asbestos concerns and a lot of the records had been damaged by damp and mould. The Trust upped security and fixed damaged doors and windows, but the Irish News reported in April last year that it was still possible to get onto the site.
Asbestos, eh? I guess that’s one way you could secure a site and discourage trespassing (but then, how can you account for people who insist on smoking despite lung cancer and obscene annual mark-ups on tobacco?)
Let’s face it: if you have records going back decades that you have left to be damaged by damp and mold, you probably don’t need those records. And if you don’t need them, your retention policy should have had them securely destroyed long ago.
Fine Probably Includes More than Penalty for Breach
Over at the ICO’s website, you can find some additional details not reported at theregister.co.uk. Namely, that some of the records dated “back to the 1950s” and that,
on 11 April 2011, the Irish News reported that it was still possible to access the site without authorisation. The Trust then increased the number of security guards on site and carried out a full inspection which revealed further records, many of which were being retained in breach of the Trust’s ‘Records Retention and Disposal’ policy. [ico.gov.uk]
The kicker, though (my emphasis):
The Trust failed to report the situation at the Belvoir Park site to the ICO. The ICO’s investigation found that the Trust failed to keep the information secure and also to securely destroy medical documents which it no longer required.
Uh, hello? Are these guys insane? I mean, it was reported in the news. Why didn’t they notify the ICO? Did they really think it “wouldn’t get out”? Does no one pay attention to the Irish News? Ridiculous behavior. I’m sure the monetary penalty must have been upped for failing to disclose the breach to the ICO.
Remember: data security is about securing data. The stuff in your computer is data, but so is the stuff on paper. Don’t forget to secure it as well.
And don’t rest on your laurels because you’re using encryption software or some other type of data protection tool. Such tools go a long way towards securing sensitive information, but they’re not perfect, and they do nothing for the records sitting in a filing cabinet. Data security, like freedom, is about constant vigilance.